Dear User,
pursuant to and for the purposes of (i) Legislative Decree n. 196 of 30 June 2003, the “Privacy Code”, (ii) EU Regulation 2016/679 on the “protection of natural persons with regard to the processing of personal data and on the free movement of such data”, the “GDPR”, articles 13 and 14, rules also jointly referred to as the “Privacy Regulations”, there are some obligations on those who carry out the processing – “the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, comparison, interconnection, restriction, deletion or destruction” - (hereinafter the “Processing”) of information concerning an identified or identifiable natural person (the “Interested Party”).
EtooPharma S.r.l., VAT n. 04710380195, with registered office in Via Marco Biagi, 95 - 24030 Terno d’Isola (Bergamo) (the “Company”) wishes to inform you, in the following sections, about the methods and purposes of the processing of your personal data.
Data Controller
The Data Controller is the entity that determines the purposes and the means of the processing of personal data (the “Data Controller”), and is identified in the Company, in the person of the Chief Executive Officer pro tempore. The Data Controller may be contacted by e-mail at info@valefin.com.
Methods of collecting the data of the Interested Party
The Data Controller may take possession of your data in the following circumstances:
- in the event of a contact request made through the Company's website, by e-mail or by telephone, in order to request information on the services and products provided by the Company;
- in the event of a purchase or request for a service provided by the Company, including pre-contractual negotiations;
- if you provide your data in order to receive commercial communications, newsletters and/or to be updated on events organised and marketing initiatives undertaken by the Company;
- if the Data Controller's business partners legitimately transfer your personal data to the Data Controller.
Categories of data subject to Processing
The following categories of personal data relating to you exemplify the types of data that may be collected through the services and contact channels described in this document:
Contact data - information concerning name, address, e-mail address.
Other personal data - information you provide us with regarding your date of birth, identity document, tax code, bank details, IBAN and wallet address.
Administrative/accounting data - information relating to your contractual/administrative data (invoices, balances, outstanding payments).
Interests - information you provide us about your interests, habits and consumption, including the type of products and services in which you are interested.
Online account data - information about the personal accounts you create on our sites (the “Account”).
Mobility Data - information about location and socio-demographic information.
Site and Communications Usage - information about how you use our site, open or forward our communications, including information collected through cookies and other tracking technologies (you can find our Cookie Policy here).
Purpose of Processing, legal basis and storage period
Your personal data will be processed, for the purposes described below, mainly by computer tools:
- Responding to your specific requests: the Data will be used to respond to your specific requests for information and/or services. The provision of Data is required and any responsibility regarding the correctness and/or completeness of the data provided is in the hands of the Interested Party. Legal basis of the processing: to implement pre-contractual measures (art.6 par.1 lett. b of the GDPR). Data retention policy: the Data will be kept for the time strictly necessary to pursue the purposes for which it was collected and in any case no longer than ten years from receipt of the request.
- Execution of the contract: the Data will be used for the purpose of responding to any request for information concerning the products and services offered by the Company or to acquire any other preliminary information necessary for the execution of the contract with you. Legal basis of the processing: to execute pre-contractual measures or a contract to which you are party (art.6 par.1 lett. b of the GDPR). Data retention policy: Data provided as part of your request or for making an estimate will be retained for a maximum of five years. Data processed to execute a contract may be kept for the entire duration of the relationship as well as for ten years from the date of its termination.
- Creation and management of Accounts: Data will be used to allow the user to create the Account, as well as in order to provide the requested services. Online Account Data as well as Data relating to the use of the site and communications will be processed in order to allow access to various services offered by the Website. The provision of the Data in the forms marked with an asterisk is required, while for other data the provision is optional. Any refusal to provide compulsory data or any subsequent lack of authorisation to process such data may make it impossible for the Data Controller to provide the services. Legal basis for processing: to execute the contract to which you are party (art. 6 par. 1 lett. b of the GDPR). Data retention policy: the Data will be kept until your request to cancel your online Account or unsubscribe.
- Sharing information relating to the existing relationship: the Data will be used to allow you to access information relating to the existing administrative/accounting relationship (invoices, balances, outstanding payments) and/or relating to services through the reserved area. The provision of the Data is compulsory; any refusal to provide them or any subsequent lack of authorisation for their processing may make it impossible for the Data Controller to provide the service. Legal basis of the processing: to execute the contract to which you are party (art. 6 par. 1 lett. b of the GDPR). Data retention policy: the Data will be kept until your request to cancel your online Account or unsubscribe, and in any case for a period no longer than the period established for the retention of shared documentation.
- Fulfilment of binding obligations: the Data may be processed in order to fulfil any civil, administrative, fiscal, accounting obligation provided by law, by a regulation, by European legislation or by an order of the Authority and arising from the relationship(s) with you. The provision of Data is mandatory as it is required for the fulfilment of legal and contractual obligations. Any refusal to provide them or any subsequent lack of authorisation to process them may result in the impossibility for the Data Controller to implement the existing contractual relationship. Legal basis of the processing: to implement the relationship to which you are party (art. 6 par. 1 lett. b of the GDPR), to fulfil a legal obligation to which the Data Controller is subject (art. 6 par. 1 lett. c of the GDPR). Data Retention Policy: Data may be kept as long as necessary to fulfil legal obligations and, in any case, for the entire duration of the contract as well as for ten years after the end of the fiscal year following the relevant year.
- Defence in court for the Controller's rights: if the obligation arises, the Data Controller shall provide information concerning you to the Authorities and to those who are responsible for the application of the law, regulations and judicial acts, as well as to third parties in litigation. The Data Controller reserves the right to process the Data in order to prevent possible risks and frauds, as well as to defend its own rights deriving from the contract in judicial or extrajudicial proceedings, also for the purposes of possible debt collection, directly or through third parties (debt collection agencies/legal entity) to whom the Data will be communicated only for such purposes. The provision of Data is compulsory as it is required for the fulfilment of legal and contractual obligations. Any refusal to provide them or any subsequent lack of authorisation to process them may result in the impossibility for the Data Controller to pursue the contractual relationship in place. Legal basis of the processing: for the pursuit of a legitimate interest of the Data Controller consisting in preventing possible fraud or defending its own right or making any claim arising from the existing business relationship with you, unless your interests or fundamental rights prevail (Art. 6 par. 1 lett. f of the GDPR). Data Retention Policy: Data may be retained for up to three years following the termination of the contractual liability between the parties.
- Taking part in events such as prize competitions and/or point collections: the Data may be processed in order to manage your participation in prize contests and/or point collections organised by the Data Controller. The provision of Data is optional and the failure to provide it or to authorise its processing will make it impossible to undertake the activities indicated therein. Legal basis of the processing: to implement pre-contractual measures or a contract to which you are party (art.6 par.1 lett. b of the GDPR). Data retention policy: the Data will be kept for the time strictly necessary for the management of the event and in any case for a period not exceeding ten years.
- Customer loyalty and marketing: the Data will be used to provide you with news and offers - through computerised contact methods (such as e-mail, SMS) and/or traditional methods (such as regular mail) relating to the services offered by the Data Controller - and/or invitations to events, as well as to carry out market studies, statistical analyses and satisfaction surveys. The provision of Data is optional and failure to provide it or failure to authorise its processing will make it impossible to carry out the activities indicated therein. Legal basis of the processing: consent given by you as a Data Subject (Art. 6 par. 1 lett. a of the GDPR). Data retention policy: Data processed for customer loyalty and marketing purposes may be retained until your freely given consent is withdrawn. At the time of collection and at the time each communication is sent, you will be informed of the possibility to refuse the Processing at any time, easily and free of charge.
- Analysis: information relating to your interests and the way you use the website may be used in order to assess personal aspects, analyse or predict aspects relating to consumption and consumption preferences, age range or geographical location, in order to segment Users into homogeneous categories (e.g. consumption, spending, etc.), by implementing data analysis models, statistical algorithms, predictive models and aggregations. Legal basis of the processing: the Processing is carried out anonymously for statistical purposes (art.89 of the GDPR). Data retention policy: the Data processed for the Analysis activity may be retained, in anonymous form, for as long as necessary.
- Sending communications for products or services similar to those requested: your Data provided (in particular your e-mail address) in the context of a commercial transaction may be used by the Data Controller to forward promotional communications relating to products or services similar to those covered by the sale. Legal basis of the processing: to pursue a legitimate interest of the Data Controller consisting in promoting its products or services similar to those previously purchased by the Data Subject (art. 6 par. 1 lett. f of the GDPR, in conjunction with art.130 par. 4 of the Privacy Code). Data retention policy: Data processed for the purpose of sending communications for similar products or services may be retained until the right to object to the processing is exercised. When each communication is sent, you will be informed of the possibility to refuse the Processing at any time, easily and free of charge.
- Social Network Interactions: Your Data may be processed in order to allow you to interact through our Social Networks, as provided by the functionalities offered by the website. The information collected will include data relating to your activities, private messages, comments and your interactions with the Data Controller's social channels. Legal basis of the processing: to implement pre-contractual measures (art.6 par.1 lett. b of the GDPR). Data retention policy: the Data will be kept for the time strictly necessary to pursue the purposes for which it was collected.
If the Data Controller intends to process your Data for purposes other than those described above, it is obliged to inform you of such further purposes before Processing.
Data processing methods
In relation to the aforementioned purposes, the Company carries out Data Processing according to the security measures set out in Article 32 of the GDPR by means of manual, computerised and telematic tools, designed to store, manage and transfer the Data, for the sole purpose of pursuing the aims for which they were collected and, in any case, in a manner that guarantees their security and confidentiality, as well as compliance with the principles of correctness, lawfulness and transparency. Although it is not possible to guarantee security from intrusion for the transmission of data that takes place on the Internet and websites, the Company and the subcontractors and business partners it has identified make every effort to ensure physical, electronic and procedural safeguards to protect your personal data in accordance with data protection requirements. We adopt, among others, measures such as:
- the strict restriction of access to your personal data, on a need-to-know basis and for the purposes disclosed only;
- the transfer of collected data, where deemed appropriate for specific needs, only to specifically named parties;
- IT firewall systems to prohibit unauthorised access;
- permanent monitoring of access to IT systems to detect and stop misuse of personal data.
Purchase operations through the EtooPharma S.r.l. website are protected by suitable security systems (e.g. HTTPS protocol). The payment management services allow the Data Controller to process payments by credit card, bank transfer or other instruments (e.g. Sofort, Klarna, iDEAL, EPS, Bancontact, PayPal, Scalapay, Doofinder, CDN systems, etc.). The data used for payment are directly collected by the operator of the payment service requested, without being processed by the Data Controller, except for the outcome of the transaction. Some of these services may also provide for the scheduled sending of messages to the Interested Party, such as e-mails containing invoices or notifications concerning payment. The user is invited to read the relevant information on the operator's web pages on this matter.
If we have provided you (or you have chosen) a password that allows you to access some sections of our website or other portals, applications or services provided by the Company, you will be responsible for maintaining the confidentiality of that password and for complying with any other security procedures that we may have in place. We ask you not to share your access credentials (including your password) with anyone.
The Data Controller carries out Processes that consist in automated decision-making processes on the Data processed.
Area of data communication
Your Data may be made accessible to:
- employees and associates of the Company as persons authorised and/or designated to the Processing and/or system administrators;
- business partners or external third parties who - on behalf of the Data Controller - carry out activities in outsourcing for support, administrative, accounting, tax purposes or for purposes related to the management of the supply or legal protection relationship;
- other third parties in order to perform the services specifically requested. These third parties are only provided with the information necessary to perform their functions;
- supervisory authorities, judicial authorities as well as to all institutional bodies to which communication is required by law for the fulfilment of the purposes mentioned above.
Transfer of data to a third country or international organisation
Personal data are processed within the European Union and stored on servers located there. It is in any case understood that the Data Controller, if necessary, shall have the right to transmit such data to a third country or international organisation and/or move the servers also outside the EU. In such case, the Data Controller guarantees as of now that the transfer of data outside the EU will take place according to the applicable legal provisions, as set out in Art. 44 of the Privacy Code and Art. 46 et seq. of the GDPR.
Rights of the Interested Party
The Company informs you that, according to current legislation on the protection of personal data, you may at any time exercise specific rights - as set out in Articles 15-22 of the GDPR - and in particular you may ask the Data Controller:
- the right of access, i.e. the possibility to obtain from the Controller the confirmation whether or not personal data are being processed and, if so, to obtain access to your personal data;
- the right to rectification, including supplementation of incomplete personal data;
- the right to delete the data without delay upon request of the person interested and mandatory if:
  - the personal data are no longer necessary in relation to the purposes of the Processing;
  - the consent on which the Processing is based is revoked and there is no other legal basis for the Processing;
  - the personal data have been processed unlawfully;
  - the personal data must be deleted in order to comply with a legal obligation under EU or Member State law;
  - the Interested Party refuses the Processing and there is no legitimate prevailing reason to proceed with the Processing, or when he/she refuses the Processing in the cases provided by Article 21(2) of the GDPR (personal data processed for direct marketing purposes);
- the right to restriction of the Processing if the accuracy of personal data is contested (for the period necessary for the Data Controller to verify the accuracy of such personal data) or the Processing is unlawful and/or the Interested Party opposes the Processing and requests its restriction;
- the right to the portability of personal data as the right to receive from the Data Controller, in a structured, commonly used and machine-readable format, personal data and to transmit such data to another Data Controller, only if the Processing of such data is based on consent and only for data whose Processing is carried out by automated means;
- the right to refuse the Processing of his/her personal data except for the right of the Data Controller to prove the existence of legitimate reasons to proceed with the Processing anyway;
- the right to revoke the consent at any time, if the Processing is based on your explicit consent, without prejudice to the lawfulness of the Processing carried out until the revocation is exercised;
- the right to complain to a supervisory authority of the Member State where he/she resides or habitually works or of the State where the alleged infringement has occurred, without prejudice to any other administrative or judicial remedy, in the event of infringement of the provisions of the Regulation mentioned above.
If you wish to receive further information on the Processing of your personal data and to exercise the rights indicated above, you may send a written request using the contact details provided in the ‘Data Controller’ section of this policy. In the event of a request for information regarding your data, the Data Controller will reply as soon as possible - unless this is impossible or involves a disproportionate effort - and in any case no later than thirty days from the request. Any impossibility or delay by the Controller in fulfilling requests will be adequately justified.
Last update: December 2024